Wednesday, 24 July 2013

Where are we with spam now?

Well, firstly, the one court case (against Huxley) is getting silly. They agreed to settle in no uncertain terms and then changed their mind, so I am probably suing for breach of contract, which is not very satisfying. If I lose that I can still proceed with the spam case though.

But I have been chatting with other ISPs and we are really seeing an increase in this new type of spam.

  • From UK companies
  • HTML emails
  • Well formed enough to pass spam assassin
  • Sent to somewhat silly and often made up email targets (one ISP said they seemed to be trying whole dictionaries)
  • Showing company name, company address, company number, even VAT number, making it easy to action.
  • Including an unsubscribe link
It gives me the impression that this is some scammers selling UK companies junk mailing, and probably telling them that following some rules means they are legal. After all, company name and registration details and unsubscribe links!

We have had replies suggesting senders believe they meet ICO guidelines and are complying with Data Protection Act rules by having an unsubscribe link. So what?

None of this addresses the Privacy and Electronic Communications Regulations issues that we are trying to tackle. I don't think I am going mad here; read the regs yourself. The regs are pretty clear: you cannot send unsolicited marketing emails to an individual subscriber unless the recipient has consented to you sending them, or the sender obtained the email address in the course of a sale or negotiation with the recipient, the email is about related products, and the recipient was given an opt out at that time and in each subsequent email which they did not use.

I know that is long winded, but key things from that are:-

  • The recipient has to have notified the sender of consent. If I notified company A of consent, and company A sells to company B, and company B sends email to me then that is not valid as I have not notified that sender (company B) of my consent.
  • Even if company A got the email via sale or negotiation with me and gave me an opt out which I did not use, as sold to company B, that is not valid as company B did not obtain by sale or negotiation with the recipient.
It seems to me that saying that you "bought the list" (even from a reputable supplier) is an admission of guilt - you are making it clear that you, as sender, did not meet the rules for obtaining the email address or getting consent.

The ICO need to make this clear on their web site and tell spammers that it is illegal.

I have had two key issues with trying to get money out of spammers:-
  1. It has to be an individual subscriber. It turns out that I am the individual paying A&A for the email services on all of the A&A domains, so even for "company emails" I am the individual subscriber, and for many I am the recipient of the email. So that is sorted. However, I have many emails to made-up email addresses at some of my domains. This is very clearly an individual subscriber with no doubt. Even the domain has to be registered to an individual. So I'll probably try action for these emails first.
  2. How to assess the damages. This is where I am getting creative by arranging that A&A will pay the subscriber (me) £50 compensation for a spam getting past the filters. That means A&A have suffered a clear and demonstrable loss as a result of the breach of the regulations. Section 30 says: "A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage". It does not require that the person suffering damages be the recipient, so A&A can then sue for the £50 damages. Worth a try.
So the next step is to action one of the 60 or so warnings sent in the last week. I need to allow the full 14 days I offered in my notice, and should pick one of the more clear cut cases of a domain which is an email address I have never used ever (I don't go by the name Rachel, even at weekends) and so did not provide to any list or web site or forum. I'll post how it goes, but it will take weeks.
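As an added illustration (not code from the original post): a small Python script that picks out the "dictionary" pattern described above, one sender hitting many never-used mailboxes at a single domain, from a few constructed log lines. The log format, the addresses and the threshold are all assumptions, not a real MTA's.

```python
"""Flag senders that spray mail at made-up local parts of one domain.

Added example, not from the original post. The log line format below is
an assumption (not any real MTA's), and the addresses are constructed.
"""
import re
from collections import defaultdict

# Constructed log lines: "<ts> from=<addr> to=<addr> status=<accepted|unknown-user>"
SAMPLE_LOG = """\
2013-07-22T09:01:02 from=offers@example-marketing.co.uk to=rachel@aa-domain.example status=unknown-user
2013-07-22T09:01:03 from=offers@example-marketing.co.uk to=rachael@aa-domain.example status=unknown-user
2013-07-22T09:01:04 from=offers@example-marketing.co.uk to=rebecca@aa-domain.example status=unknown-user
2013-07-22T09:01:05 from=offers@example-marketing.co.uk to=richard@aa-domain.example status=unknown-user
2013-07-22T10:15:00 from=friend@example.net to=adrian@aa-domain.example status=accepted
2013-07-22T10:16:00 from=friend@example.net to=adriam@aa-domain.example status=unknown-user
"""

LINE_RE = re.compile(r"from=(?P<sender>\S+) to=(?P<rcpt>\S+) status=(?P<status>\S+)")


def parse_log(text):
    """Yield (sender_domain, recipient, status) from the constructed log."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines we do not understand rather than guess
        sender_domain = m.group("sender").rsplit("@", 1)[-1].lower()
        yield sender_domain, m.group("rcpt").lower(), m.group("status")


def dictionary_senders(text, threshold=3):
    """Map (sender_domain, recipient_domain) -> sorted list of non-existent
    mailboxes, keeping only pairs with at least `threshold` distinct ones.
    A single typo from a genuine correspondent stays below the threshold."""
    hits = defaultdict(set)
    for sender_domain, rcpt, status in parse_log(text):
        if status != "unknown-user":
            continue
        rcpt_domain = rcpt.rsplit("@", 1)[-1]
        hits[(sender_domain, rcpt_domain)].add(rcpt)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (sender, target), rcpts in dictionary_senders(SAMPLE_LOG).items():
        print(f"{sender} -> {target}: {len(rcpts)} made-up mailboxes, e.g. {rcpts[0]}")
```

Senders flagged this way are the clear cut cases the post talks about: nobody ever gave them those addresses, so no consent or prior sale can be claimed.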


  1. So there's no sort of defined damages? How is an individual supposed to use these laws?

  2. I very much hope this succeeds; the rules seem clear-cut to me, but ICO were depressingly disinterested the one time I contacted them about this (their dubious dismissal of all University-provided accounts as "not individual", even when it's an individual paying the University for a package of services which happens to include e-mail). I take it the spam you're seeing is sent from overseas IP addresses, so difficult for ISPs here to terminate - and no leverage from threats to terminate the spamvertised websites?

    My persistent anonymous robo-caller finally slipped and revealed a phone number yesterday ("press 1 to be phoned yet again to sell you solar panels, 8 for us to lie that you'll be removed from our list" ... 5 also triggers a callback, it seems, and that one isn't made from a non-CLID network), so I've filed a TPS complaint against "Greener Futures".

    Quite why businesses are allowed to make anonymous calls in the first place, I don't know, but it's very irritating getting junk calls when I can't even identify the caller, let alone complain about them!

    1. If they're using a robo-caller they're already breaking the law, so outlawing anonymous calls isn't going to help. I think someone did once tell me that cold-callers weren't allowed to withhold their CLID, but I don't know if that's actually true.

      Usually I push 5 (or whatever) and then ask the robo callers for their company name, number and address; unfortunately that usually results in an immediate hangup so it's clear that they already know they are breaking the law. Occasionally I get told that they don't have a limited company number, which makes them seem pretty legit as I'm sure you'll agree. :)

      However, the one good thing about them withholding their CLID is that you can set up your PBX to automatically drop them into an IVR without affecting the rest of your callers.

    2. As a business, we have taken the decision not to accept calls from withheld or unavailable CLIDs on our normal geographic numbers. Callers are told this and then advised to ring our 0871 number (at 10p/min) if they have no way of releasing their caller ID - we will call them back if it's legitimate!

      All of a sudden the phone now only rings when it's somebody we want to speak to. Brilliant!

    3. "However, the one good thing about them withholding their CLID is that you can set up your PBX to automatically drop them into an IVR without affecting the rest of your callers."

      Irritatingly, rather than explicitly withhold the number, these people have managed to arrange to be "number unavailable" for CLID purposes. (Worse still, a few entities - including the Council my mother used to work for, and my old optician - use number withheld. Fortunately, she has since left and I have changed opticians, so I could probably re-block withheld calls at least.)

      What I would like to see now is a short code for reporting such nuisance calls - say, 1479 - which would flag the last incoming call for possible enforcement. The worst offenders should be trivially obvious: slap the first few with six figure fines and the rest should re-think their scam.